(57) Abstract:

PROBLEM TO BE SOLVED: To provide further flexibility in sorting and demultiplexing
of packets in a network protocol stack.

SOLUTION: Packet sorting and processing are enlarged by obtaining external
information from an application scheduled outside the scope of kernel transfer or an
interrupt context. In one embodiment, the external information may enlarge the node
standard of a node in a sorting tree with additional information. An enlargement
technique is provided that postpones the sorting process until the completion of an
application scheduled outside the scope of kernel transfer or the interrupt context.
The resultant external information is used for enlarging the packet sorting. In
another embodiment, the external information may include authorization of the sender of
the packet by correlating a tunnel ID with a user ID or by using s/ident for
out-of-band authorization. The sort process allows a site policy to be enforced.

[Claim(s)] 

[Claim 1] A method of classifying a data packet, characterized by comprising the
following:
A step which receives a data packet at a root node of a sorting tree.

A step which delivers said data packet to each child of the 1st tree level of said
sorting tree in turn until the 1st child of said 1st tree level shows that said 1st
child's node standard is satisfied.

A step at which said 1st child forms said data packet into a conformity packet.
A step which repeats the delivery and formation steps at said following tree level until
the 1st child of the following tree level in the continuing following level stops
satisfying a node standard of said 1st child of said following tree level.

[Claim 2] A method according to claim 1, wherein said step to deliver contains a step
which performs a code set which returns status directions.
[Claim 3] A method according to claim 1, wherein said step to form contains a step at
which said 1st child specifies a code set to be performed subsequently.

[Claim 4] A method according to claim 3, wherein said step to specify contains a step
which specifies a code set performed following satisfaction.

[Claim 5] A method according to claim 1 containing a step which adds at least 1 node to
at least 1 level of said sorting tree dynamically.

[Claim 6] A method according to claim 5, wherein said at least one new child node is a
RealAudio node.
[Claim 7] A method of classifying a packet, characterized by comprising the following:

A step which postpones an on-going packet classification process for said packet.

A step which acquires external information used in said classification.

[Claim 8] A method according to claim 7, wherein said step to acquire contains a step
which enlarges a node standard of a node in a sorting tree by said external information.

[Claim 9] A method according to claim 8, wherein said external information includes
discernment of the dispatch origin of said packet.

[Claim 10] A method according to claim 8, wherein said external information includes
attestation of the dispatch origin of said packet.

[Claim 11] A method according to claim 7, wherein the classification process is an
extensible classification child process.

[Claim 12] A method according to claim 1 containing a step which analyzes the syntax of
said conformity packet and generates pertinent information.
[Claim 13] A method according to claim 1 containing a step which changes said
conformity packet into a conversion packet.

[Claim 14] A method according to claim 1 containing a step which associates said packet
with the last 1st child which shows satisfaction.

[Claim 15] A method according to claim 14 containing a step which performs a code set
according to said last 1st child.

[Claim 16] A method according to claim 1 containing a step which opts for treatment of
said data packet.

[Claim 17] A method of opting for treatment of a packet received in a child node,
containing a step which passes said packet and the 1st treatment of said packet to an
external process, a step at which said external process enlarges the packet treatment
using a process specifying means, and a step which returns an enlargement packet and
enlargement treatment to said child node.

[Claim 18] A method according to claim 17 containing a step which postpones an
on-going treatment process for said packet.

[Claim 19] A method according to claim 18, wherein said enlargement treatment includes
discernment of the dispatch origin of said packet.

[Claim 20] A method according to claim 18, wherein said enlargement treatment includes
attestation of the dispatch origin of said packet.

[Claim 21] A method according to claim 18 used for policy enforcement of said treatment.
[Claim 22] A method according to claim 16 containing a step which uses a classification
process as a firewall.

[Claim 23] A method according to claim 1 of using a classification process for a
classification of an application level.

[Claim 24] A method according to claim 23 of using a classification process for policy
enforcement.

[Claim 25] A method according to claim 23 of using a classification process for a speed
limit.

[Claim 26] A method according to claim 23 of using a classification process for
load balancing.

[Claim 27] A method according to claim 1 of using a classification process for traffic
formation.

[Claim 28] A device which classifies a data packet, containing: a network interface
device which receives a data packet from a physical network and passes this data packet
to a root node of a sorting tree, and conversely receives a data packet from said root
node and transmits this data packet to said physical network; and a packet module which,
in said following tree level, delivers a packet to child nodes in turn until the 1st
child node of the next tree level of the sorting tree shows that a node standard of this
1st child node is satisfied, and forms the data packet into a conformity packet, until
the 1st child node of the continuing following level stops satisfying a node standard of
said 1st child node of said continuing following level.
[Claim 29] The device according to claim 28, wherein some of said device is realized
as an accelerator chip.

[Claim 30] The device according to claim 28, wherein said device is used for a
classification of an application level.

[Claim 31] The device according to claim 28, wherein said device is used as a firewall.
[Claim 32] The device according to claim 28, wherein said device is used as a border
server.

[Claim 33] A method according to claim 2, wherein said status directions are of pm_t type.

[Claim 34] A product containing a computer-readable medium which has computer-readable
program code means for classifying a data packet, wherein said computer-readable program
code means contains computer-readable program code means for directing a computer to
perform a step of claim 1.

[Claim 35] The product according to claim 34, wherein said computer-readable program
code means directs a computer to add at least 1 node to at least 1 level of a sorting
tree dynamically.

[Claim 36] A product containing a computer-readable medium which has computer-readable
program code means for classifying a data packet, wherein said computer-readable program
code means contains computer-readable program code means for directing a computer to
perform a step of claim 8.

[Claim 37] A product containing a computer-readable medium which has computer-readable
program code means for opting for treatment of a packet, wherein said computer-readable
program code means contains computer-readable program code means for directing a
computer to perform a step of claim 18.

[Claim 38] A device which classifies a data packet, characterized by comprising the
following:
A means to receive a data packet at a root node of a sorting tree.

A means which delivers said data packet to each child of the 1st tree level of said
sorting tree in turn until the 1st child node of said 1st tree level shows that a
node standard of said 1st child node is satisfied.

A step at which said 1st child forms said data packet into a conformity packet.

A means which repeats the delivery and formation steps at said following tree level
until the 1st child node of the following tree level in the continuing following level
stops satisfying a node standard of said 1st child node of said continuing following
level.

[Claim 39] A device which opts for treatment of a packet received in a child node,
comprising:

An interruption context of a control program in which said child node exists.
An external process outside the range of the interruption context of said control program.
A means which passes said packet and the 1st treatment of said packet to said external
process, including a means to make said external process enlarge the packet treatment by
use of a process specifying means and return an enlargement packet to the child node
together with enlargement treatment.
A means by which said interruption context receives said enlargement packet and said
enlargement treatment from said external process.

DETAILED DESCRIPTION



[Detailed Description of the Invention] 
[0001] 

[Field of the Invention] This invention relates to the field of packet communication,
and especially to the classification and demultiplexing of network communication
packets which are processed within a network protocol stack.
[0002] 

[Description of the Prior Art] In communication through a network, the information
transported from one computer to another often must be divided into network
communication packets. These network communication packets are simply called "packets",
and are transported via a physical communication network.

[0003] Information emitted from an application program passes through various software
components, is packetized into network communication packets, is passed to a
Network Interface Card after that, and is transmitted on a physical communication
network. These software components are generally layered so as to form what is known as
a network protocol stack. Each layer is responsible for a different facet of
communication. For example, a TCP/IP protocol stack is usually divided into four layers,
i.e., a link layer, a network layer, the transport layer, and the application layer.
Drawing 1 shows the relation between the protocol layers and a TCP/IP protocol stack.
The link layer 101 is responsible for placing data on a physical network. The network
layer 102 is responsible for routing. The transport layer 103 is responsible for
communication between two hosts. The application layer 104 is responsible for
processing of application-specific data.

[0004] For example, drawing 2 shows the stages by which an HTTP request is
encapsulated before being transmitted to a Web server. As the request descends the
protocol stack, each layer 201 through 204 encapsulates the packet and adds its own
header. When the HTTP packet arrives at the destination address, each protocol layer
classifies the ingress packet among all the protocols in the layer directly above it
using the information in the header. Generally this process is called demultiplexing.

[0005] In each layer of a network protocol stack, demultiplexing of the packet, i.e.,
"classification", is carried out based on the information about the packet contained
in a header and on the information in the packet's own data part. Based on the
classification, packets are processed differently.

[0006] For example, drawing 3 shows how this classification is performed on
ingress HTTP request 301. The Ethernet (registered trademark) driver 302 in the link
layer 300 classifies the packet based on the frame type in the Ethernet header, and
delivers it to IPv4 312 in the network layer 310. Based on the IP header protocol
value in the IP header, IPv4 312 classifies the packet and delivers it to TCP 323 in the
transport layer 320. Based on the destination port number in the TCP header, TCP 323
classifies the packet and delivers it to HTTP server 332 in the application layer 330.
[0007] The conventional packet classification systems seen in BPF, DPF, Pathfinder,
Router Plugins, and the firewalls of many operating systems are restricted to a set of
fixed pattern-matching rules. This enables a user to monitor or process arbitrary
packets which match a set of requested values in suitable byte ranges (usually
corresponding to IP protocol header fields, such as source/destination address,
protocol, or source/destination port). Next, these packets are passed to a software
module, which processes the packet and changes, transmits, removes or delays it.
Generally, prominent packet filtering systems have the capability to generate and add
rules dynamically based on application traffic. However, such a system does not provide
a simple method of extending packet processing so that it understands a new application
protocol.
[0008] These conventional systems function fully for applications which use a single
connection with a well-known destination address and port. However, many of the newest
applications first use a well-known service port for a control session, and then use
additional connections on temporary port numbers for each data stream. Examples of such
applications are FTP, RealAudio, and H.323. In order to support such applications
efficiently, the conventional system must enable dynamic and quick renewal of packet
matching filter rules. Some of the newest protocols have given up use of a
fixed-format header and fields of fixed size. For example, HTTP encodes its header as a
string so that a human being can read it.
[0009] 

[Problem(s) to be Solved by the Invention] Therefore, the purpose of this invention is
to provide greater pliability in the classification and demultiplexing of packets in a
network protocol stack. As a result, this invention provides a classifying method of
an application level. This is based on the below-mentioned classification method and a
modular structure.
[0010] Another purpose of this invention is to provide easy extendibility of packet
processing within a network protocol stack by defining a standard method of adding new
functions or support for new protocols and applications.

[0011] Another purpose of this invention is to provide a method and device which
acquire external information from an application scheduled outside the range of
transmission of a kernel or an interruption context, in order to enlarge packet sorting
or treatment.
[0012] 

[Means for Solving the Problem] A working example of this invention is a method of
classifying a data packet. This method is provided with the following.
A step which receives a packet at a root node of a sorting tree.

A step which delivers the packet to the 1st child node of the 1st tree level of the
sorting tree that suits its node standard.

A step at which the 1st child node forms the data packet into a conformity packet.
A step which repeats the delivery and formation steps at the following tree level until
the 1st child node of the next tree level of the continuing following level stops
suiting the node standard of the 1st child node of the following tree level.

[0013] In some working examples, the step to deliver contains a step which performs a
code set which returns status directions of a type; the step which shows conformity of
the standard contains a step which performs a code set which identifies a desired packet
and returns status directions; the step which forms the data packet into a conformity
packet contains a step which shows conformity; and the step which repeats delivery and
formation contains a step which returns status directions showing nonconformance.
[0014] In some working examples of this method, the method further includes a step which
adds at least one new child node, and the new child node is a RealAudio node.
Alternatively, this method is extensible so that one or more nodes may be dynamically
added at an arbitrary level. This method also includes a step which analyzes the syntax
of the conformity packet and generates pertinent information, a step which changes the
conformity packet into a conversion packet, a step which associates the packet with the
last 1st child node which shows conformity, and a step which performs a code set
according to the last 1st child node. Alternatively, the step which forms a conformity
packet includes a step at which the 1st child node specifies a code set to be performed
subsequently, and the step which specifies includes a step which specifies a code set
performed following classification.

[0015] Another working example of this invention is a method of classifying a packet
using an external process. This method is provided with the following.
A step which postpones an on-going classification process for a packet.

A step which acquires external information used in the classification.

This is performed by an application scheduled outside the range of transmission of a
kernel or an interruption context.

[0016] In some working examples of this method, the step to postpone contains a step
which queues data including information about the packet or its present classification,
and a step which transmits said data to an application scheduled outside the range of
transmission of a kernel or an interruption context.

[0017] In some working examples of this method, the step which acquires external
information contains a step which enlarges the node standard of a node in the sorting
tree by additional information; the classification process is an extensible
classification child process (the process is extensible by adding a new child node in
one application); the external information includes attestation of the dispatch origin
of a packet; and the method includes enforcement of a site policy. A site policy
comprises many different aspects, including security. The security aspect of a site
policy is based on packet sorting and certification information.

[0018] Another mode of this invention is a method of opting for treatment of an
original copy packet received in a child node. This method contains a step which
delivers the original copy packet and the first treatment of the original copy packet
to an external process. The external process enlarges the original copy packet or
enlarges the first treatment using a process specifying means, and the enlarged packet
and the enlarged treatment are returned to the child node. In some working examples of
this method, the method includes a step which postpones an on-going treatment process
for the original copy packet, and the enlarged treatment includes discernment or
attestation of the dispatch origin of said packet.
[0019] 

[Embodiment of the Invention] This invention is realizable as hardware, software, or a
combination of hardware and software. A typical example of execution by a combination
of hardware and software is execution in a computer system which has a predetermined
program. In this case, by loading this predetermined program into the computer system
and executing it, this program controls the computer system and performs processing
concerning this invention. This program comprises an instruction group which can be
expressed in an arbitrary language, code, or notation. Such an instruction group makes
it possible for a system to perform a specific function either directly, or after one
or both of (1) conversion to another language, code, or notation and (2) duplication to
another medium are performed. Of course, this invention includes in its range not only
such a program itself but also the medium which recorded the program. The program for
performing the functions of this invention can be stored in an arbitrary
computer-readable recording medium such as a floppy (registered trademark) disk, MO,
CD-ROM, DVD, a hard disk drive, ROM, MRAM, RAM, etc. For storing in a recording medium,
this program can be downloaded from another computer system connected by a
communication line, or can be reproduced from another recording medium. This program
can also be compressed, or divided into a plurality of parts, and stored in a single or
multiple recording media.

[0020] A network protocol is usually divided into layers, each responsible for a
different facet of communication. For example, drawing 1 shows the network layers of a
TCP/IP protocol. The related call graph created by the standard UNIX (registered
trademark) protocol stack is structured like the tree described in relation to
drawing 3. Each tree level corresponds to a different layer in the network protocol
stack. This invention copies the call graph of a UNIX protocol stack, and arranges the
different modules which compete for a packet at the IP layer within a tree structure.
Here, this tree structure is called a sorting tree.

[0021] An example of the sorting tree 400 is shown in drawing 4. Drawing 4 shows each
node in the sorting tree as a separate module. In a working example of this invention,
each node consists of four packet scanning functions (a matcher, a preprocessor, action,
and post processor) and three node management functions (a call-back, a heartbeat, and
management). Only the packet matching function, which identifies the packets that
should be processed, and the packet action function, which opts for packet treatment,
are required. The packet matching function is here called the node standard of a node.
The remaining scanning and controlling-function pointers default to NULL. These
functions related to each node are stored in a packet filter structure.

[0022] Since each node is a separate, dynamically loadable module, the sorting tree
composition is flexible. In one working example of this invention, modules are loaded
into memory during the initialization process. Based on configuration information, the
modules are arranged and a sorting tree is formed. The ordering of the modules is
important, and the packet scan is governed by this ordering. When a sorting tree is
created, each node is initialized by performing a code set. In this working example,
this code set is a function called the controlling function (mm). The input parameter to
the mm function is a single pointer which generally points to a buffer containing
node-specific configuration data.

[0023] Drawing 4 is one example which shows how the modules are organized in a
sorting tree. Each of the IPv4 503, IPv6 504, UDP 506, HTTP 507, and TCP 508 modules
wishes to observe or change packets which use the protocol from which its name
originates. However, in this example, when processing of HTTP requests is desired, two
or more approaches can be envisaged. These approaches include the offer of a
transparent HTTP proxy function, the use of a special TCP for HTTP such as transaction
TCP (T/TCP), the execution of content filtering based on a site policy, or the
restriction of packet traffic based on a service contract. Different modules are loaded
into memory according to the purpose for which the sorting tree is used. A site policy
comprises many different aspects, including security. The security aspect of a site
policy is based on packet sorting and certification information. Once initialization is
complete, the sorting tree may be changed by adding, deleting or moving a node. This
capability to change the sorting tree makes the packet classification process
extensible.

[0024] This invention includes a method of performing a packet classification process
and an enlarged packet treatment process. The packet to be classified or enlarged is
here called an original copy packet. The resulting packet is called an enlargement
packet. The treatment of an original copy packet is here called the 1st treatment, and
the treatment resulting from an enlargement treatment process is here called
enlargement treatment. Here, anything outside the range of transmission of a kernel or
an interruption context is said to be external.

[0025] One working example has seven steps for classifying a packet and opting for
enlargement packet treatment. Unless otherwise noted, these steps take place within an
interruption context. Steps 1 through 4 show the packet classification process
shown in drawing 5. Steps 5 through 7 show enlargement of the packet treatment process.
The flow chart of these seven steps is shown in drawing 6. Drawing 5 and drawing 6 are
referred to in the following explanation.

[0026] Step 1: After receiving a packet from a physical network, the link layer
delivers the packet to the root node 502.

[0027] According to this step, a network driver receives a packet from a physical
network, classifies the packet based on the frame type in the MAC header, and delivers
it to the root node of the sorting tree.

[0028] Step 2: The packet is passed to the 1st child node of the 1st level 521 of the
sorting tree that satisfies its node standard.

[0029] The root node asks each child node, from left to right, whether the packet suits
its node standard, and this is continued until the node standard of a child node is
satisfied. Next, the root node delivers the packet to the 1st child node that satisfies
its node standard, and the 1st child node forms the data packet into a conformity
packet. In drawing 5, the root node 502 delivers the packet to the IPv4 node 503 first.
The node standard of a child node contains the code set used in order to identify a
desired packet. This code set is realized as a function called the packet matching
function (pm) 603.
[0030] The input parameters to the pm function are PBUF, the operating system
independent data structure containing a packet; an option memory field; and a pointer
indicating a packet filter node. The result of the packet matching function shows
conformity or nonconformance with the node standard of the child node, and is of pm_t
type. Drawing 7 enumerates examples of a group of pm_t type return code values 700.
The packet matching function results which show conformity with the node standard of a
child node include Match_OK, Match_This, Match_Discard, and Match_Forward. The result
which shows nonconformance is No_Match.
[0031] Packet matching functions range from simple ones, like that of the IPv4 node,
which judge whether values at static fixed offsets agree, to complicated ones, like
those for FTP, RealAudio, and H.323, which identify packets for applications which
negotiate additional connections. Unfortunately, since each such application has its
own method of negotiating additional connections, an application-dependent node is
required. These are shown in drawing 8 as H.323 (831), RealAudio 832, and FTP 833. A
dynamic filter rule is created for each additional connection. Such dynamic filter
rules and other state information about the negotiated connections are stored locally
in the application-specific node. In one working example, a hash table structure is
used to store this data. Based on the well-known service port and application-specific
data, the packet matching function identifies the desired packets and enables
classification at the application level.
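
An added example (not code from the patent) of the application-specific node described above, for FTP only: the control-session side parses an active-mode PORT command and stores a dynamic filter rule in a hash table, and the data-connection matcher consults that table. The table size, the rule lifetime, and the policy of accepting only the client's own address and unprivileged ports are assumptions, and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef enum { No_Match = 0, Match_OK } pm_t;  /* subset of the page's pm_t results */

#define RULE_SLOTS 64   /* table size: assumption */
#define RULE_TTL   60   /* seconds a negotiated rule stays valid: assumption */

/* One dynamic filter rule: the address and port the data connection will use. */
struct dyn_rule { uint32_t ip; uint32_t expires; uint16_t port; uint8_t used; };
static struct dyn_rule rules[RULE_SLOTS];

static size_t slot(uint32_t ip, uint16_t port) { return ((ip * 2654435761u) ^ port) % RULE_SLOTS; }

/* Open addressing with linear probing; expired slots are reused in place, so a
 * slot never becomes empty again and probe chains stay intact. */
static int rule_add(uint32_t ip, uint16_t port, uint32_t now) {
    for (size_t i = 0, h = slot(ip, port); i < RULE_SLOTS; i++) {
        struct dyn_rule *r = &rules[(h + i) % RULE_SLOTS];
        if (!r->used || r->expires <= now) {
            r->ip = ip; r->port = port; r->expires = now + RULE_TTL; r->used = 1;
            return 1;
        }
    }
    return 0;                                   /* table full: no rule, so no match */
}
static int rule_live(uint32_t ip, uint16_t port, uint32_t now) {
    for (size_t i = 0, h = slot(ip, port); i < RULE_SLOTS; i++) {
        const struct dyn_rule *r = &rules[(h + i) % RULE_SLOTS];
        if (!r->used) return 0;
        if (r->ip == ip && r->port == port && r->expires > now) return 1;
    }
    return 0;
}

/* Strictly parse "PORT h1,h2,h3,h4,p1,p2\r\n" (payload is not NUL-terminated). */
static int parse_port(const char *s, size_t n, uint32_t *ip, uint16_t *port) {
    unsigned v[6];
    size_t i = 5;
    if (n < 7 || memcmp(s, "PORT ", 5) != 0) return 0;
    for (size_t k = 0; k < 6; k++) {
        unsigned val = 0;
        size_t digits = 0;
        while (i < n && s[i] >= '0' && s[i] <= '9' && digits < 3) {
            val = val * 10 + (unsigned)(s[i] - '0');
            i++; digits++;
        }
        if (digits == 0 || val > 255) return 0;
        v[k] = val;
        if (k < 5) {
            if (i >= n || s[i] != ',') return 0;
            i++;
        }
    }
    if (i + 2 != n || s[i] != '\r' || s[i + 1] != '\n') return 0;
    *ip = (uint32_t)(v[0] << 24 | v[1] << 16 | v[2] << 8 | v[3]);
    *port = (uint16_t)(v[4] << 8 | v[5]);
    return 1;
}

/* Control session (well-known port 21): create a rule for the negotiated connection.
 * Policy assumption: the rule must name the client's own address and a port >= 1024. */
int ftp_control_seen(uint32_t client_ip, const char *payload, size_t n, uint32_t now) {
    uint32_t ip;
    uint16_t port;
    if (!parse_port(payload, n, &ip, &port)) return 0;
    if (ip != client_ip || port < 1024) return 0;
    return rule_add(ip, port, now);
}
/* Convenience wrapper for constructed, NUL-terminated sample lines. */
int ftp_control_line(uint32_t client_ip, const char *line, uint32_t now) {
    return ftp_control_seen(client_ip, line, strlen(line), now);
}
/* Node standard for the data connection: match only a live negotiated rule. */
pm_t ftp_data_match(uint32_t dst_ip, uint16_t dst_port, uint32_t now) {
    return rule_live(dst_ip, dst_port, now) ? Match_OK : No_Match;
}
```

Only the active-mode PORT command is handled here; the other negotiation methods the paragraph mentions each need their own parser.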

[0032] Step 3: As described in Step 2, starting from the 1st child node that suits its
node standard at the next tree level of the sorting tree, the "delivery of packet"
process is repeated and the packet is formed into a conformity packet, and this
processing is continued until none of the children at the next tree level of the
sorting tree suits its node standard (No_Match).

[0033] It is judged whether a next child exists (604). When it exists, the flow
continues to 601. When it does not exist, the flow continues to 621. After the packet
matching functions of all the child nodes at the following tree level finish with a
nonconforming result, the packet is said to have scanned the sorting tree completely.
The scanning path is defined as the set of nodes from the root to the last 1st child
node which suits its node standard. In this way, packet sorting is completed and the
flow continues to 621.

[0034] Step 4: In each 1st child node, satisfaction of the node standard of the child
node forms the data packet into a conformity packet. This is performed in Steps 4A, 4B,
and 4C.

[0035] Step 4A: The present node is added to the node scanning path (605).
[0036] Step 4B: When a code set exists, the node performs the code set, which analyzes
the syntax of the packet and changes it (607). The packet is analyzed and changed when
a code set exists (617). When it does not exist, the flow continues to 609.
[0037] Once a node standard is satisfied, the scan of the sorting tree for the packet
is restricted to the descendants of the node. The rest of the sorting tree is not
scanned. However, before scanning the subtree of the node, the node may perform a code
set. In this example, this code set is called the packet preprocessor function (pp).
The input parameters are the same as for the packet matching function: PBUF, the
operating system independent data structure containing a packet; an option memory
field; and a pointer indicating a packet filter node. The return code of the pp
function is of pp_t type. Drawing 9 enumerates examples of pp_t type return code values
900. The packet preprocessor function performs actions such as syntax analysis of a
packet and conversion of a packet. Syntax analysis of a packet generates information
usable by the descendants and ancestors of the node. Conversion of a packet takes
place, for example, when the preprocessor of an IPSec node changes an encrypted packet
into a decrypted packet. IPSec tunnel information and other information are generated,
and these may be used by other nodes in the sorting tree.
[0038] Thus, this invention provides a general-purpose mechanism, here called option
transmission (options passing), which saves state information or transmits it between
nodes. In an example of option transmission, an option memory segment is attached to a
packet during the tree scan of each packet. Each node uses an API, i.e., fw_add_option
and fw_next_option, to store and retrieve state. Since a node may be unable to
understand all the options passed to it, it processes the options it can understand
and disregards the options it cannot understand.

[0039] Step 4C: By postponing the classification process, a node acquires additional 
external information and further enlarges packet sorting and demultiplexing. 
[0040] Postponement of a classification process includes arbitrary queuing of data, 
including a packet or information about the present classification, and transfer of 
the data to an application scheduled outside the scope of kernel transfer or the 
interrupt context. 

[0041] In one working example, packet sorting is enlarged by postponing the packet 
classification process until an application scheduled outside the scope of kernel 
transfer or the interrupt context is completed. The resulting external information is 
used in order to enlarge packet sorting. 

[0042] Examples of applications which enlarge packet sorting include a packet 
discernment agent and a packet attestation agent. A discernment/attestation agent uses 
s/ident for out-of-band discernment and attestation. Attestation uses s/ident for 
out-of-band attestation and correlates a packet with a user ID. In another example of 
attestation, a VPN tunnel ID is correlated with a user ID. 

[0043] External information, such as packet discernment or attestation, makes it 
possible to process packets differently. For example, suppose that a site connected to 
the Internet enforces strict bandwidth restrictions. As a result, only a limited number 
of employees at any given moment can run applications with high bandwidth demand, such 
as streaming of data. Based on external information, a site policy which gives 
preferential treatment to a set of employees is realized. 

[0044] Step 5: After packet sorting is completed, the code set associated with the last 
child node that satisfies a node standard is performed. 

[0045] In one working example, this code set is called a packet action function (pa). 
The packet action input parameters are PBUF, a pointer to a node, a pointer to a node 
scanning path, and an option memory field. The return code of the pa function is of 
type paction_t, examples of which are shown in drawing 10 as 1000. The return code 
obtained determines the packet treatment. 

[0046] Usually, the packet action function 621 monitors packet data and acquires 
application-specific state information used by other node functions. For example, a 
packet action function with application-specific knowledge can monitor packet data for 
newly negotiated data connections. Such new dynamic connections are stored locally by 
the application-specific node. A packet matching function uses this dynamic data as 
part of its node standard for application-level packet sorting. 

[0047] Other examples of the use of a packet action function include change of a packet 
in order to realize NAT, queuing of packets for traffic formation and speed limiting, 
removal of packets, and specification change of packets for load balancing. 

[0048] A packet action function may also postpone kernel packet processing and 
transmit arbitrary data (including information about a packet or its classification) 
to an application scheduled outside the scope of kernel transfer or the interrupt 
context. External information is acquired in order to enlarge the packet treatment 
(namely, abandonment, transmission, local processing, or specification change) 
determination (631). Postponement of a packet treatment determination process includes 
arbitrary queuing of data, including information about a packet or its classification, 
and transmitting the data, using a process specifying means, to an application 
scheduled outside the scope of kernel transfer or the interrupt context. 
[0049] In one example of the method of enlarging packet treatment determination, any 
ongoing packet treatment determination process is postponed until an application 
scheduled outside the scope of kernel transfer or the interrupt context is completed. 
The resulting external information is used to enlarge the packet treatment 
determination. Examples of applications which enlarge packet treatment determination 
include policy enforcement agents and content-filtering agents based on an arbitrary 
combination of packet sorting, discernment, and attestation. Examples of a process 
specifying means include s/identd and an external LDAP server. 

[0050] Once the application is completed, it delivers the original data, the external 
information, and a result to the kernel, and the kernel issues a call to the callback 
function of the node. In the node which postponed processing, the callback function 
(cb) reinserts the packet. A dynamic rule is generated based on the result of the 
application (621). 

[0051] For example, an especially advantageous use concerns VPN tunnels. Different 
policies based on the VPN call destination can be enforced using dynamic rules. These 
rules are no longer restricted to fixed pattern matching of protocols and the like, but 
are created from the standpoint of the application by application-level classification. 
An example of an application-level rule is "permit John Doe RealAudio." Application-level 
rules also simplify firewall rule definition in a firewall application. 

[0052] Step 6: After completion of the code set (called a packet action code) 
associated with the last child node that satisfies a node standard, the code set 
associated with each node within the node scanning path is performed (623). 

[0053] In this example, this code set is called the packet post processor function (px) 
625. The packet post-processing input parameters are PBUF, an option memory field, and 
the packet action treatment. The return code of the px function is of type paction_t. 
Examples of the paction_t type are enumerated in drawing 10. 

[0054] Just as packet preprocessing decrypts a packet, packet post-processing performs 
actions such as encryption of a packet (627). A node scanning path is created when a 
packet first scans the sorting tree, and packet post-processing is performed in the 
reverse of the node scanning order before control returns to the basic operating system. 
[0055] Usually, packet treatment is maintained through post-processing. Only in the 
case of an abnormal condition does post-processing not follow the treatment recommended 
by the packet action and by preceding post-processing. For example, with a VPN tunnel, 
the outbound tunnel may be destroyed during the sorting tree scan. 
[0056] Step 7: After completion of packet processing, control returns to the basic 
operating system, which abandons, transmits, changes the specification of, or locally 
processes the packet based on the final treatment (633). 
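
The steps above (options passing in [0038], the packet action in [0045], and reverse-order post-processing in [0054]) can be sketched in C as follows. This is an added example, not code from the patent: the struct layouts, the signatures given to fw_add_option and fw_next_option, the enum values, the option types, the default treatment when nothing matches, and the tunnel-to-user table are all assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed types and values: the text names pm_t, paction_t and the option API only. */
typedef enum { NO_MATCH, MATCH_OK } pm_t;
typedef enum { PA_DISCARD, PA_FORWARD } paction_t;
enum { OPT_TUNNEL_ID = 1, OPT_UNKNOWN_VENDOR = 99, MAX_OPTS = 8, MAX_DEPTH = 8 };

struct opt { uint8_t type, len, val[8]; };
struct pbuf {                        /* stand-in for the PBUF packet structure */
    uint8_t proto, inner_proto;      /* 50 = ESP, 6 = TCP */
    uint32_t spi;                    /* tunnel identifier carried by the packet */
    int encrypted, nopts;
    struct opt opts[MAX_OPTS];       /* option memory segment attached to the packet */
    char trace[80];                  /* call order, recorded for the demo */
};
struct node {
    pm_t (*pm)(const struct pbuf *);             /* packet matching function */
    void (*pp)(struct pbuf *);                   /* packet preprocessor */
    paction_t (*pa)(struct pbuf *);              /* packet action */
    paction_t (*px)(struct pbuf *, paction_t);   /* packet post processor */
    struct node *child[4];
};

static void mark(struct pbuf *p, const char *s) {
    strncat(p->trace, s, sizeof p->trace - strlen(p->trace) - 1);
}
static int fw_add_option(struct pbuf *p, uint8_t type, const void *v, uint8_t len) {
    if (p->nopts >= MAX_OPTS || len > sizeof p->opts[0].val) return -1;
    struct opt *o = &p->opts[p->nopts++];
    o->type = type; o->len = len; memcpy(o->val, v, len);
    return 0;
}
static const struct opt *fw_next_option(const struct pbuf *p, int *cursor) {
    return *cursor < p->nopts ? &p->opts[(*cursor)++] : NULL;
}

/* IPSec node: pp decrypts and publishes the tunnel ID; px re-encrypts on the way out. */
static pm_t esp_pm(const struct pbuf *p) { return p->proto == 50 ? MATCH_OK : NO_MATCH; }
static void esp_pp(struct pbuf *p) {
    mark(p, "pp:esp ");
    p->encrypted = 0; p->proto = p->inner_proto;    /* stands in for decryption */
    fw_add_option(p, OPT_UNKNOWN_VENDOR, "x", 1);   /* an option tcp_pa does not understand */
    fw_add_option(p, OPT_TUNNEL_ID, &p->spi, sizeof p->spi);
}
static paction_t esp_px(struct pbuf *p, paction_t t) {
    mark(p, "px:esp ");
    if (t == PA_FORWARD) p->encrypted = 1;          /* stands in for encryption */
    return t;                                       /* treatment is maintained */
}

/* Constructed policy: tunnel 0x1001 belongs to uid 501, the only permitted user. */
static int tunnel_uid(uint32_t tunnel) { return tunnel == 0x1001 ? 501 : -1; }
static pm_t tcp_pm(const struct pbuf *p) { return p->proto == 6 ? MATCH_OK : NO_MATCH; }
static void tcp_pp(struct pbuf *p) { mark(p, "pp:tcp "); }
static paction_t tcp_pa(struct pbuf *p) {
    const struct opt *o; int cur = 0, found = 0; uint32_t tunnel = 0;
    mark(p, "pa:tcp ");
    while ((o = fw_next_option(p, &cur)) != NULL) {
        if (o->type != OPT_TUNNEL_ID || o->len != sizeof tunnel) continue;  /* disregard */
        memcpy(&tunnel, o->val, sizeof tunnel); found = 1;
    }
    return (found && tunnel_uid(tunnel) == 501) ? PA_FORWARD : PA_DISCARD;
}
static paction_t tcp_px(struct pbuf *p, paction_t t) { mark(p, "px:tcp "); return t; }

static paction_t classify(struct node *root, struct pbuf *p) {
    struct node *path[MAX_DEPTH], *cur = root; int depth = 0;
    while (depth < MAX_DEPTH) {
        struct node *hit = NULL;
        for (int i = 0; i < 4 && cur->child[i]; i++)      /* first child that matches */
            if (cur->child[i]->pm(p) == MATCH_OK) { hit = cur->child[i]; break; }
        if (!hit) break;
        if (hit->pp) hit->pp(p);
        path[depth++] = cur = hit;                        /* node scanning path */
    }
    paction_t t = PA_DISCARD;                             /* assumed default: no match, drop */
    if (depth && path[depth - 1]->pa) t = path[depth - 1]->pa(p);
    for (int i = depth - 1; i >= 0; i--)                  /* reverse scanning order */
        if (path[i]->px) t = path[i]->px(p, t);
    return t;
}

/* Builds root -> ESP -> TCP and classifies one constructed packet. */
static paction_t run_demo(uint32_t spi, struct pbuf *p) {
    struct node tcp = { tcp_pm, tcp_pp, tcp_pa, tcp_px, { NULL } };
    struct node esp = { esp_pm, esp_pp, NULL, esp_px, { &tcp } };
    struct node root = { NULL, NULL, NULL, NULL, { &esp } };
    memset(p, 0, sizeof *p);
    p->proto = 50; p->inner_proto = 6; p->spi = spi; p->encrypted = 1;
    return classify(&root, p);
}

int main(void) {
    struct pbuf p; paction_t t = run_demo(0x1001, &p);
    printf("%s-> %s\n", p.trace, t == PA_FORWARD ? "forward" : "discard");
    return 0;
}
```

The policy decision is taken in tcp_pa on state that only the IPSec ancestor could produce, and an unknown tunnel ID or a missing option falls through to discard rather than forward.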

[0057] Drawing 11 shows a working example of this invention as a device which 
classifies a data packet or enlarges its treatment. The device includes the network 
interface device 1101, which receives a packet from a physical network and passes it to 
the root node of a sorting tree, and conversely receives a packet from the root node 
and transmits it to the physical network. The device further includes the packet module 
1103, which delivers a packet to the child nodes on each tree level in succession until 
the 1st child node of that tree level of the sorting tree indicates that the node 
standard of that 1st child node is satisfied. The 1st child node forms the data packet 
into a conformity packet, and this continues until no 1st child node of any succeeding 
level satisfies its node standard. 

[0058]An accelerator chip may be used in order to realize the packet module 1103. This 
chip may be used as a classification system of an application level which is needed as 
the foundation of a firewall box or a border server when diagnosing a high-speed 
network problem. 

[0059] Working examples of other devices of this invention may be realized by a person 
skilled in the art by known methods. For example, this invention is realized using a 
device which classifies a data packet. This device contains: a means to receive a data 
packet at the root node of a sorting tree; a means by which the data packet is 
delivered to each child of the 1st tree level in succession until a 1st child node of 
the 1st tree level of the sorting tree indicates that the node standard of said 1st 
child node is satisfied; a means by which the 1st child node forms said data packet 
into a conformity packet; and a means which repeats the delivery and formation steps 
for each following tree level until no 1st child node of the following level indicates 
that its node standard is satisfied. For example, this device takes the form of a 
floppy disk, a hard disk, a flash memory, or an external magnetic medium. 

[0060] Another working example of this invention is a device which determines the 
treatment of a packet received in a child node. This device is provided with the 
following. 

An interrupt context of a control program, in which the child node exists. 

An external process outside the scope of the interrupt context of the control program. 

A means for said packet and the 1st treatment of this packet to be delivered to the 
external process, and for the external process to enlarge the packet treatment using a 
process specifying means and to return an enlargement packet to the child node together 
with the enlargement treatment. 

A means, contained in the interrupt context, to receive the enlargement packet and the 
enlargement treatment from the external process. 

This device takes the form of a hard disk, a floppy disk, or an external magnetic 
medium. The control program is realized as software which manages the example of the 
device. 
[0061] This invention is realized by hardware, software, or a combination of hardware 
and software. This invention may be realized in centralized form within one computer 
system, or in distributed form in which different elements are spread over two or more 
interconnected computer systems. Any kind of computer system, or other device adapted 
to realize the method described here, is usable. A typical combination of hardware and 
software is a general-purpose computer system with a computer program which, when 
loaded and executed, controls the computer system so that it performs the method 
described here. This invention may also be embedded in a computer program product. In 
this case, the computer program product includes all the features which enable 
realization of the method described here and, when loaded into a computer system, 
performs these methods. 
[0062] Here, a computer program means, or a computer program, means any expression, in 
any language, code, or notation, of an instruction set intended to cause a system 
having information processing ability to perform a specific function either directly 
or after either or both of (1) conversion to another language, code, or notation and 
(2) reproduction in a different material form. 

[0063] The above explanation describes the purpose of this invention and outlines some 
of its working examples. The concept of this invention is usable in many applications. 
Therefore, although the above explanation describes specific compositions and methods, 
the meaning and concept of this invention are applicable also to other compositions and 
applications. For example, although reference was made to a data packet, this invention 
is applicable likewise to a non-data packet. It will be clear to a person skilled in 
the art that other changes to the working examples indicated here are possible without 
departing from the meaning and scope of this invention. The working examples described 
here merely express some of the more prominent features and applications of this 
invention. Other useful advantages may be realized by applying the indicated invention 
in a different mode, or by changing this invention by methods known to a person skilled 
in the art. Therefore, it is said again that the working examples described here were 
provided only as examples and do not restrict this invention. 

[0064]As a conclusion, the following matters are indicated about the composition of this 
invention. 

[0065] (1) A method of classifying a data packet, containing: a step which receives a 
data packet at the root node of a sorting tree; a step which delivers said data packet 
to each child of the 1st tree level of said sorting tree in succession until a 1st 
child of said 1st tree level indicates that said 1st child's node standard is 
satisfied; a step at which said 1st child forms said data packet into a conformity 
packet; and a step which repeats the delivery and formation steps for each following 
tree level until no 1st child of the following tree level satisfies the node standard 
of said 1st child of said following tree level. 

(2) The method of the aforementioned (1) description that said step to deliver contains 
the step which performs the code set which returns status directions. 

(3) The method of the aforementioned (1) description that said step to form contains the 
step as which said 1st child specifies the code set performed succeedingly. 

(4) The method of the aforementioned (3) description that said step to specify contains 
the step which specifies the code set performed following satisfaction. 

(5) The method of the aforementioned (1) description containing the step which adds at 
least 1 node to at least 1 level of said sorting tree dynamically. 

(6) The method of the aforementioned (5) description that said at least one new child 
node is the RealAudio node. 

(7) A method of classifying a packet, containing the step which postpones an ongoing 
packet classification process for said packet, and the step which acquires the 
external information used in said classification. 

(8) The method of the aforementioned (7) description that said step to gain contains the 
step which enlarges the node standard of the node in a sorting tree by said external 
information. 

(9) The method of the aforementioned (8) description that said external information 
includes discernment of the dispatch origin of said packet. 

(10) The method of the aforementioned (8) description that said external information 
includes attestation of the dispatch origin of said packet. 

(11) The method of the aforementioned (7) description which is a classification child 
process with an extensible classification process. 

(12) The method of the aforementioned (1) description containing the step which 
analyzes the syntax of said conformity packet and generates pertinent information. 

(13) The method of the aforementioned (1) description containing the step which 
changes said conformity packet into a conversion packet. 

(14) The method of the aforementioned (1) description containing the step which relates 
said packet with the last 1st child which shows satisfaction. 

(15) The method of the aforementioned (14) description which contains the step which 
performs a code set according to the 1st child of said last. 

(16) The method of the aforementioned (1) description containing the step which 
determines the treatment of said data packet. 

(17) A method of determining the treatment of a packet received in a child node, 
containing the step which passes said packet and the 1st treatment of this packet to an 
external process, the step in which said external process enlarges the packet treatment 
using a process specifying means, and the step which returns an enlargement packet and 
enlargement treatment to said child node. 

(18) The method of the aforementioned (17) description containing the step which 
postpones an on-going treatment process to said packet. 

(19) The method of the aforementioned (18) description that said enlargement 
treatment includes discernment of the dispatch origin of said packet. 

(20) The method of the aforementioned (18) description that said enlargement 
treatment includes attestation of the dispatch origin of said packet. 

(21) The method of the aforementioned (18) description used for policy enforcement of 
said treatment. 

(22) The method of the aforementioned (16) description containing the step which uses a 
classification process as a firewall. 

(23) The method of the aforementioned (1) description which uses a classification 
process for the classification of an application level. 

(24) The method of the aforementioned (23) description which uses a classification 
process for policy enforcement. 

(25) The method of the aforementioned (23) description which uses a classification 
process for a speed limit. 

(26) The method of the aforementioned (23) description which uses a classification 
process for load balancing. 

(27) The method of the aforementioned (1) description which uses a classification 
process for traffic formation. 

(28) A device which classifies a data packet, containing: a network interface device 
which receives a data packet from a physical network, passes this data packet to the 
root node of a sorting tree, and conversely receives a data packet from said root node 
and transmits this data packet to said physical network; and a packet module which 
delivers a packet to the child nodes of the next tree level in succession until a 1st 
child node of the next tree level of the sorting tree indicates that the node standard 
of this 1st child node is satisfied, and which forms the data packet into a conformity 
packet until no 1st child node of the continuing following level satisfies the node 
standard of said 1st child node of said continuing following level. 

(29) A device of the aforementioned (28) description with which said some of devices are 
realized as an accelerator chip. 

(30) A device of the aforementioned (28) description with which said device is used for 
the classification of an application level. 

(31) A device of the aforementioned (28) description with which said device is used as a 
firewall. 

(32) A device of the aforementioned (28) description with which said device is used as a 
border server. 

(33) The method of the aforementioned (2) description that said status directions are 
of the pm_t type. 

(34) A product containing a computer-readable medium which has a computer-readable 
program code means for classifying a data packet, in which said computer-readable 
program code means contains a computer-readable program code means for directing a 
computer to perform the steps of the above (1). 

(35) The product of the aforementioned (34) description in which said computer-readable 
program code means directs a computer to add at least 1 node to at least 1 level of a 
sorting tree dynamically. 

(36) A product containing a computer-readable medium which has a computer-readable 
program code means for classifying a data packet, in which said computer-readable 
program code means contains a computer-readable program code means for directing a 
computer to perform the steps of the above (8). 

(37) A product containing a computer-readable medium which has a computer-readable 
program code means for determining the treatment of a packet, in which said 
computer-readable program code means contains a computer-readable program code means 
for directing a computer to perform the steps of the above (18). 

(38) A device which classifies a data packet, containing: a means to receive a data 
packet at the root node of a sorting tree; a means to deliver said data packet to each 
child of the 1st tree level of said sorting tree in succession until a 1st child node 
of said 1st tree level indicates that the node standard of said 1st child node is 
satisfied; a means by which said 1st child forms said data packet into a conformity 
packet; and a means which repeats the delivery and formation steps for each following 
tree level until no 1st child node of the following tree level satisfies the node 
standard of said 1st child node of said continuing following level. 

(39) A device which determines the treatment of a packet received in a child node, 
containing: an interrupt context of a control program, in which said child node exists; 
an external process outside the scope of the interrupt context of said control program; 
a means to pass said packet and the 1st treatment of this packet to said external 
process, and to make said external process enlarge the packet treatment by use of a 
process specifying means and return an enlargement packet to the child node together 
with the enlargement treatment; and a means by which said interrupt context receives 
said enlargement packet and said enlargement treatment from said external process. 



DESCRIPTION OF DRAWINGS 



[Brief Description of the Drawings] 

[Drawing 1] It is a figure showing the relation between a protocol layer and a TCP/IP 
protocol stack. 

[Drawing 2] It is a figure showing the stages by which an HTTP request is encapsulated 
before being transmitted to a Web server. 

[Drawing 3] It is a figure showing how a classification is performed on an ingress 
HTTP request. 

[Drawing 4] It is a figure showing one example of the method of organizing the modules 
in a sorting tree according to this invention. 

[Drawing 5] It is a figure showing one example of the packet sorting and 
demultiplexing process of classifying a packet according to this invention. 

[Drawing 6] It is a figure showing one example of the steps which determine packet 
treatment according to this invention. 

[Drawing 7] It is a figure showing one example of the pm_t return code according to 
this invention. 

[Drawing 8] It is a figure showing one example of the application dependence node 
according to this invention. 

[Drawing 9] It is a figure showing one example of the pp_t return code according to 
this invention. 

[Drawing 10] It is a figure showing one example of the paction_t return code according 
to this invention. 

[Drawing 11] It is a figure showing one example of a device according to this invention. 
[Description of Notations] 

101, 300 link layers 

102, 310 network layers 

103, 320 transport layers 

104, 330 application layers 

301 Ingress HTTP request 

302 Ethernet driver 
312 IPv4 

323 TCP 

332 HTTP server 

502 Root node 

503 IPv4 

504 IPv6 

506 UDP 

507 HTTP 

508 TCP 

521 The 1st level 

603 Packet matching function (pm) 
621 Packet action function 
700 pm_t type return code value 

831 H.323 

832 RealAudio 

833 FTP 

900 pp_t type return code value 
1101 Network interface device 
1103 Packet module 
* NOTICES * 

JPO and INPIT are not responsible for any 
damages caused by the use of this translation. 

1. This document has been translated by computer. So the translation may not reflect 
the original precisely. 

2. **** shows the word which can not be translated. 
3. In the drawings, any words are not translated. 
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[0 0 0 4] (i^j^ff. m\t. 

H T T PS«*^'>!jy-fe;Wb$n?)XT-v>'* 

S2 0 i;^S2 0 43bV'?':r7F*A^-fe;Wku ^ng 

#©^7^*lilPt5o HTTP^^')-7F*m7Flx 
XCiMfSi:. ^>^nFa;F®)b^^©'N7^rt©1fffi 
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[0 0 0 5] ^^-yhU-^ ■'/u}-:^)]/' x^y^p^o) 

[0 0 0 6] ^!|x.fl 03tt. dO^WAJfeHTTP 

S5t<3 0 1 KMbrmnnm^^^^to v y^ss 
oom^-^^-yh (mm) ■ k5^/'^3 0 2 

•cJt/^'ir';; v^mu ^■n*:?^-^ hy-^/ss 1 ort 

©IPv4 31 2 tWMto IPv4 3 1 2tt, 

I p^<>^?*rtoi P'N7^-ynh3;Pfil{i:t.t^t> 

^^-^-^h^^^fflU *n*h^>7,/}<-M3 2 0|^® 
T C P 3 2 3 tgitigto TCP 3 2 3tt. TCP^7 

^n?rTyU^-i/3:yl3 3 OrtCiHTTP-ft-M'3 
3 2 tgitSto 

[0007] BPF. DPF. Pathfinder. Router Plu 
gins, if^Xy-T^yf '\/7sTh'm3§'<.<Jil7-<7 

h (It, ipt, m7t/m7\^u7.s fuh=iji 

y-hyy^yi'ic^t-^^. mwimmc^mm 

[0 0 0 8] ;:np.cDf^f*'>;^-fi.{i, Mm^9c7 K 

mm7yv ^-'y a Si?]t W-b 7 3 ycD/c 

^mt^o L.^Lfc7y')'T-iyaymU. FT 
P, ';7;b-:t-7-'i';i- (Real Audio) , RtfH. 3 2 

3T'feSo <:np.©7:/';'>-— >3y*5?6$W{c-9-jj?- 
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ffl%Bf:l:LTi>5o ^{f, HTTPti. ^■0'\7^* 
X h U y^i^fc LTxya- Kt5 <i t J; t) AF^A^'n-)' 

[0009] 

{i, ^^7 yy-^ • 7p hn;!/- ;^^7^rtO''^^7 h 

t^ciifs^Sc, ^o^atLT. mmii7yu'r- 

[0010] *|gHJ©SiJ©Sm, irrc=5:yn 

t/7:/U':r-$/3 y(Dm{c^ mcrMmttcmf^- 
h rmtmmmm^mt^ c ii j; d , * 7 
b7-^.7'Db=i;i/-x^7^'rtm y^':r7hsaa 

[0011] St*fgf3MJ©gm. ^^^7 
3j.ayf^7.\'<omm^r'X^i^a.~j\/-^iH^7'/V^ 

[00 12] 

7yt, ^■^'b-7 h^^m^m 1 ©^p'^;!/®^ 1 ©? 
i[-rxT7yfc, ^KD^y-hW-^j •/■?';r7h* 

Ji^/-?'>-7 FKfl^fi)t-r-5XT7yt, ^<^©P'^;KD 
i^cD*l/'^;l/©^ 1 FA\ 1 

[0 0 13] -gpo^WT-tt, gttitTXr-vy*\ 
^^7'©Xr-^X}i3^^jg»-r53-F • -^7 

mio^^^y F*i§8S'J1-53- F • -^7 F^^trU X 
T-:JfX}§S^*jga'r5X-f«yy*#*, r-^-^'^')- 

Xr7:/*^*, §ltffiLJ!:t;}gfiK^^0JItXr7y 

[0 0 14] Mt, '>iS:< 

tfc l'Q(0|lT/c*?y-F^MAnt§XT7y«:t^^. 
ii/c=S:^/-FA^~'J7;l/ • t~T^t • y-F-p$§o 

^i^tt, io«±©y-F*^~ffiMb'^;i/{-*3 
T-yyt. m^^^tmmm 1 f^^si^t^^ 



(5) 
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y 7 hmmmf^7.7-yft. i f 
[0 0 15] mmmimmma. ;^gi5yn-b7,^ffl 

7 FK^^bTllT*©^^Syn-tX*Mffl-r?.Xx7y 
i:> 53^®(i:fcv^Tliffl«ns^1.g|51f^^ltfrsxr7 lo 

[0 0 16] *^j*©-g|50||lffi«»jT*tt. mmt^xT 

r-^%!t-&!TmtS;^T7yii. msif-^^s fi 

[0 0 17] iftm-w>(omm^i. m'^mm. 20 
tfr5xr7/A^ mm<Dy'-Yny>-Ym$m 

m=fyxi^7.x'h K) ( 1 7f^} T-'y^ yr-tt, 
ft^z-F^iiiD-rscttd;!?, :/o-b;^*m3iRr 

[0 0 18] ?y-F(cfcV^TS 30 

5gM7t©lSiJtfc{ii!tiE*^tfc 40 
[0 0 19] 

"i/xr. t/ta^N-F'>x7Stfy7h'i7x7(Dffl*^ 

^^-titLTHIMtlT-^So M-F'>x7i:V7b>>x 
7©ffl*^^t3-ii}i:J;§||fTtfcl^T. Rlf^oyn^^A 

^^^nyi^a-^ • i/;^TAKa-F*nSltT^nS£i 
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yh\i. mmm • n-F • stefCcfcoTg^Brie^ 

*W£©iitE^Es> Sifefi 1 ) mm • 3- F • a 
la'Nom 2) fa©!«ft'\©m (Di^-fn*^-7^t, 

(DX&^o t-&5A.. *5g0^tt. ^©d;5*/D^"^i» 

i^^Aa, 7n7l^- (Igfg^i) -rVT.^. MO. 
CD-ROM. DVD. A-F-rfX^m RO 
M. MR AM. RAM#Offia03yt?a-^gg5J'9Bl 

ftfiflorjye^i-^f • i/XrA*^e.^':7>D-FLrct). 

[0020] #^7hy-^-yah3;i/ait. mm 

&mi. llttTCP/I pyoH3;V0^^7F7-^ 

^yi'lc^^m^nm'M::i-Jl • 'ifyyit. mat 

a. ^7Fy-^-ynFa;l/.x^7^(^Og&Sl 
t^tfStSo *^BB{iUNlxynF3;I/-X^'7i'<0 

[002 1] ^^S7|^4 0 0®m 0 4t^$n§o 0 
•To *^fiO^WT:1i. §y-F*M-3CD^^'>-7 

mm (^7f-v. ^'jyD-t7-9-. 7^>^3>. St; 

fs7.h ■■fo-ii'y^) t. Socoy-FtaK (n- 

5o ffla-r'^t/^'>-7 h^i!»j-rs/-?')-7 h • -^y^y 
5o ^y-Ftijimj-?,nscnp.<DM{i. /'^^7 

F •7'f;V^t)fi{i:f21i^n5„ 

[0 0 2 2] mmmmtu- mm^^^'J 

;l/*^^fi!cSnT. ^^**JBfi!ct5„ tv^'a-;!/©)!/? 

mtiiST'St), (Komnmcjt^^^^^y F44*^ 

Sa^nSo :5^^*WfiK^n5tt. a-F • -^7 f 
Wm\i. i:03-F--tr7FtttaM (mm) m 
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^mtim-^^o IPv4 50 3. IPv6 50 
4. UDP506, HTTP507. RtfTC P 5 0 8 

<D^at{±. iifl^^H T T p yn+i/«tg©m H 

TTPiD.fca^h^yif^v'a^TCP (T/TCP) 

[0 0 2 4] ^^^7 vm-f^^xmm 

[0 0 2 5] immt. j^'ryh^mu m^^'r 

[0 0 2 6] Xt7:^1 : !t^a^7 h^-i'Jb^f.Z^'^-'y 

'J >^'H*V^'>-7 h*;!/- H • /- F 5 0 

2{c§tM-r„ 

[0 0 2 7] i:(D7,T7 7°Ttt> ^-7 F7-^ • F>"f' 

^MAC'N7^"rt07U-i. • ^J'-rytfefc-i^l^T^^li 

[0 0 2 8] XT7y2 : f^'T^y Y1i\ m-^^W^ 
'^;I/5 2 1 ©?7- F©y- KS^^HJitS^ 1 
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[0 0 2 9] ;l/-F-7-F{i, ?7-Ft*fLTtA^ 

i:ntt?7-F©y-F*¥*^i«s?na 

$T'8i|g*n5o :>:fi:;V-F •y-F*V-^^.yF*. 7 
-FS*P«St5^©^ 1 cD?7- KtglJ-jgL. ^ 
1 ®?7- K*^r-^ • ^^-^-7 h*®^/-^'>-7 Kcjgfig 
■rSo 05T'a. ;U-F • 7-F5 0 2A^lia{i:y^'>-7 
I P V 4 7- F 5 0 3 {zmmto ?7- F®7- 

3-F--b7F*^tyo i:03-F--b7Fa. /•^':r7 

F • -^^y^ymm (pm) 6 0 3 tiftfnsitgt l 
[0 0 3 0] pniffi^'\oA;^]z^7P<-^'a. pbu 

F, z^':r7 F^^tyt'^U-r^ • i/T.rL'm.T 

-m^. tfv^ y ' p<tum Rt>v^^7 F • 7 

• 7-F*}tL^-r2K^^^^T'$So ^^^^7 F • 

^vi-ym^mm. ?7-F©7-Fa?p©i^ 

p m_ t 7H "9 3- Ft 7 0 0 (D^";U-y^J«-?lJ^ 
t-So -T7-F07-FS?P©^^^Stz^'>-7 F • V 
7f-yyift^lSI8ttt. Match_OK. Match_This. Match_ 
Discard. Sy'Match_FonvardA"i#*n5„ ^JS^^/j^-T 
ISIia. No_MatchT'$§o 

[0 0 3 1] z1':r7F •V7^>'yif^{i. IPv47 

m-^mwtmmri^(ot. ftp. u7;i/-^-r 

RtfH. 3 2 3^if<DJ;5{i:. liraoS^5r9f1ff 
•r57:/U';r-i/3y€>fei6©/'?'5r7 F^HJS'J-rs^ 

<DX\ 7~f')'r~'yBymy~Yifm.t^^. 

ttllSTa. H. 3 2 3 (8 3 1 ). U7;l/-:t-rV 
t8 3 2. &t;FTP 8 3 3 i:LT^$n5o ^jiilDO 

g^{c*tLTijW7^';v^'SiJAMMsn§o »?ti 
fcS^tcMtS. (:n5.©i)W7'r>'l/^^iiiJSmte'D^^ 
«Sff Sfi. 7 T'U ^-i^ a >#S7 - Ffcime^IfcfEli 

7^>a • r-:7;b«i3fi%ffiffl-r5o mm-MT. • 

-FRtf7y'J'!r-i/3:/1tSr-^fi:t,t-:Jt. 

7 F • ^^yi-ymm.mm<DA^'y F^iisyt. jf 

[0 0 3 2] Xt77'3 : XT-y/ZV^^^tcJi^^K. 
j^m^(D:k<D:^]y^)\y<D^ l 0?7- F©7- FS^t 
l^t^^l 0?7-F*^5P?f1teLT. 'V-^':r7 h®S 
t«U"/D-bXJ&Si?5ML. /1>:r7F*ii^z^'>-7F 

?fe7-FS*Ptl^L*<%§S-e (Nojatch) 

[0 0 3 3] :>:o?)!)«-r5!!)^s*^*^'*iM^?n§ (6 
0 4) „ mt^^^s 7n-a6 0 1 mmt^o # 
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mKm^t^mm^ i o?/- v^<o/- f • -t-y h 

n-fi6 2 HzMMt?). 

[0 0 3 4] Xr-;'y4 : l(D?y-FtfcW. 
Vm^^^'ry YKB^t^o LmT^r-y^^k. 4 10 
[0 0 3 5] Xt7:/4 A ::i/-F!!)V-F^S^K 

{ciiin^ns (eos) o 

[0 0 3 6] Xr7/4B : 3- F • -b'V F*^1?ftt5 

h*M?^/TU ^^1-5 (6 0 7) o n-F'-tr^F 

(6 1 7) „ ^Sb^v^ii^, 7P-{i6 0 9{i:|Kli-r 

[0 0 3 7] -s/-FS^?bW*ni)i:^ 20 
^'^'Ir-y hcD7&SJi/-FO?^{i:M*n«o ^OO:^' 

^S•rst^it^ y-Ftt3-F'-b7F%^tftTtck 
i\ i:©3-F • -t^ Fa/^-Ir^ F • ^ 

U^n-lr-yU-atg (pp) fcSSnSo A:^^^7;<-:5' 

{i^^y>yF-v75^y^a^©l^tifiii;-p*o, ?-n 
BUF, ^^'^--y h^^tyt^l^-T-f y^^- 

f^fT^y h • 7t';u^ • y-F^^gb^■r^K'1'y^f*m 

nSo pplBg<Dl^)3-Ftt> pp_t^l'/T'« 30 
So 09tt. pp_t^''ryM'9n-Ft9 0 0OM% 
5?iJ^t-i>o ^^^7F • yuyn-b7-9-ffit6a> ^■^'!r7F 

?,o ^■^'^r^ ^O^i3SC^»WcJ;^), y-F«?^>Sl/5feffl 

{±. «IJ^tf I P S e c FO/U :/n't y U-A^m^fb 

p s e c hy^^;Hf$sRt;ffi©if^*^4^S5n, (in?. 

A^'^'^i^rtcffio/- Ftn J; t)ffiffl^n#5o 
[0 0 3 8] iKDJ;^^. imm\t7LZ.Xm-fi/ay 40 

feJM (options passing) tif ^'a^Ccfc D^^llf^S* 

■fi^ay • ytu ■ -b^~p<yFAV-^':r7 

So ^y-FttAP I, •r*b-^fw_add_optionSt>'fw_ 
nexLoption^ffll^Tm^^tEHRt/^f^-rSo /- F 

mmxtii.\^f:fyBy^mMt^<. 

[0 0 3 9] Xr7:/4C : y-F^iSfc^ 50 
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[0 0 4 0] ^jWo-bXOWi. FSfctt^ 

i}-^^)i(Dm^rcm}h3).ayT^xvmm9\- 
[0 0 4 1] ;?3-^>;vo^5MSfca|ijjA 

[0 0 4 2] /■?';r7F^S^iiffi-rS7y';^-v/3y 

x-^^x y F m^n^o mw\/ms.3^-'yx y v ti> 

a-^f I DCfflMiifltSo llfliEOS'J©e!lT'{*, V P N F 

[0 0 4 3] ;^'^7 FisSiJSfdiiI|i^i;©^milS 

xfi ^y^-?^7 Ftg^^ns-9-^hA\ mmz^ 
m&M^nr\.'^tmbi:oo ^©ism. ft*©li 

[0 0 4 4] Xr7/5 : ^^>>-7 F^li*''^?^, 

FS**«£■rsgt©?/-F{cM^^^f^^5.ns3- 

F--b7F*^llfT*nSo 

[0 0 4 5] m^Tii. i:©3-F--b7K4^'^^ 

yv - j^y^yw^ (pa) tt^^nSo ^^':r7F • 

7^''>3yAtl^^7;^-^a^ PBUF. y-F^Jlb 

^•r4-^^y^'^ /-F^s^^^^lts^■r=^<1'y^^ & 

Ftipactlon_t^^yT'fet), ^n^CWI^l Ot 1 

oootLT/TN^nsc mn-^mm^^-Yif^'^'ry 
[0 0 4 6] It, F • j^'ynymmQ 2 1 1± 
mtn^7-f^)'r-y3ym(ommmmt^. 

7yU':r-i/3 yilfS©Slil*Wt5>'^'>-7 F 

fete. ^-^-^-^F •r-^^tJr^^'tSilt^^'-e^So il 
nf)©iTfc*l!)Wg^tt^ 7yU^-i/3y#Jgy-F 

t^fffwtiHiisnso /^'>-7 F • -ry^ymmm 

ff^T-'^^s T'fV^-yn y ' U^)\y(D/^^y h^M 
©/ca6©y- FS¥©-^i: Lxmt^. 

[0 0 4 7] /•^'ir-y F • 7^'S'3 ymmmmmm 
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[0 0 4 8] ^^"ry h • T^iya ymmii-trc, fi-^- 
S (6 3 1) stilts /cfct^gPlilS^ltlt^o ^-^ 
[0 0 4 9] b®l)^S;&tiMt2.^ffi® 1 m 

y^yv ■ 7-i';i/^uy;;^-x-i;x>h*^$*n5o 

•fxi^m-mm>WiC\t. s/identdSWSPl d a P 

[0 0 5 0] -sryu^-i'ay^^^Ttsi:, 7:^ 
A-r?.o 7yu^-i/3y(D$s^tti:-j't> mmm 

IS^'^^t^h (6 2 1) o 

[00 5 1] ^iJ^tfltKW^iJSfflJitt, V p N b ys^)\y 

\zWo^. VPNifD'diL^fe{i:tt-it<S^5^'^> 

uMs.tm%!^'^~y • V7f•y^cws^^■r^ 7 

y • U^;b©^MIlJ©&iJtt. "John DoeC U 7;V • i^-T 

mwm^ks 7r-r7'>*-;i/- 7yu':r-^>3y{cfc 

l/^T. 7 7'f'7'>^-«M^W{b-r2.o 

[0 0 5 2] ;^x7y6 : y~mmm&t^mm 

ff^nS (6 2 3) o 

[0 0 5 3] ^mmmZ'li. iicn-F • -tr^y bli^^-Jr 
5o /■?':r7FmaA;'3^^5p<-^tt^ PBUF. xi-y 
i/3 y • ;<tum stf/^-^-y h • 7!7'y3ymx 

px«tg©Mt)n-Ftt> paction.ttJf-YyT* 
;5o pactlon_t^'^y©W. 0 1 0 tJIJ^^tlT/l^^ 

[0 0 5 4] ^^^y hMffiaAV^>y<y F;feft?fi!-rS£Dt 
i/aymnt^ (6 2 7) o ^^'^r-y F A"iSlUti3^;i* 

10 m&t^tt. y-vmrnrnm^n^o m^t 

[0 0 5 5] at. Fffi««t^5aa%ii:Tisfc 
7i^'yaymmmmm(ommntirj:\,\ m 

xtf. VPNFy:^;WcJ;0. 7'>F/^'i'>F- 

[0 0 5 6] XT'V-fl : ^^'^■^y FMO^Tfi. $IJ®1 

fcttimwiciaats (533) „ 

[0 0 5 7] la 1 Ui. r-^ • ^■^'^■^y F(D5flS^^^ 
F7-^ •'l'>^7x-Xg«l 1 0 1_^# 

i:nttM^'yFy-i^*^?.^^'^>>F^§feU 
y7F*4^li7Ko;l'-F -y-FtcffiU S/cJMt, 

-F • /-F*^c/^^<y F^SMu /^-^-'y vmm^-' 

7 Fy-^liij^ttSo eWiM{c^^^7 F • 
30 ;H 10 3;&$». i:ntt^*W;V-to?y-K*^?' 

?/-F'N.^^^':r7 F^Sjl^Wtgltigb. <:©§(t)g 
L«^'!i*©7kl/'^^I^©^ 1 FA'*. ^<D^ 1 O 

F©/- FS^«StS c fc^^tSTlSlE^ 

P'^;UOif©|gi©?y-Ffc. ;^©P^;U®^ic? 
7-FO/-Fa?P^)SSL%<*?.ST. T-'^-'^ 

[0 0 5 8] F • ■tv^'a-yU 1 1 0 3**ilt5 

40 7 7^7-^7*-;!/ ^t- 

[0 0 5 9] mmmmmmmmi. m^i^^t 

?y-FA^ MfB^lO?/-F©y-FSP^)i£t 
50 ^Ct^mtr\ T—^ • ^^'Jr-y F%^ 1 ©^U'^;!/ 
y - F . tuiaic < ly^mmmf^ i - k© 

[0 0 6 0] *fgB^®giJtD^»Jti. ?y- Ffi:fe^,^T 

wmm^yri ^Tsij^^mt^ m^-^^mm^ 3 

>T+X Vt^^tS. Z.<D^m.\m^'<i. K • T-i 

[0 0 6 1] *fg0^ttM-K'>x7, V7b'^x7, S 
K'i? x7 h V 7 b x70iiH*^t>H*-{C J; t)* 

x70A§yWi*^^-ti-li> nyifa-^ • ^D^°^ 

ay}£a.-^ • ^P^'^Aifj^nytfi-^ • i/Xr 

$/c, nyea-^ • ypi^5ASiart{cai6iisnT 

[0 0 6 2] ilil-pa. nyi^a-^ • yp^^A^g 
FSfcttgfBSCj;^. ^^-^7 hOffiScDgJMSi* 
^SfDate^ESWtllff^-^SAv BgiHi. 1) 

gij©m 3-Ftrca^ta}i'\om Rifz) 
[0 0 6 3] m&mmit. ^mmmm-xsmmn 
10 T. z.z.x'&^rz.'mim. w\cwm<jywm^-y ^ 

fc<o 

[0 0 6 4] ^tibtLX. *f|B^©McMbTWT 

20 [0 0 6 5] ( 1 ) T-'^ • ^^-^-'y F^^WS^&f- 
&oX. j^mtO)l-V • y-Ftfci/^T. r-^ -^^ 

1 s5ia^ 1 ©?©y- FS^p^ifi-r 

Mta^ 1 0?AWar-^ • /^-b-y h*®-&/^y 
F {cffMt 5 Xr 7 t . < iA©l^'^;Vtt3ltai^O 
tKP'^;!^©^ 1 B(jtE^©*U'^;l'©MtS^ 1 © 

?©/-FS^«sb*<%5ST% mwmM^^ 

(2) tulBglt!i-rxr7/A"«. Xr-^Xig^%)iJn 
rSP-F'-t-yF^^tfrsXr-y/^^ty^ Mia 

(1) ta«om 

(3) lufajgfiSc-rsxT^y*^ tuia^io?A^5it^ 

t^fr^nsn-F • -t-)/ F^t^tSXr-yy?:^ 

tf, ilia (1) !a^©m 

(4) HiiiaJis-rsxT-y:/*^ lifitcj^v^TUff^n 

• -b'y F*igS-rsXr>v:/5:^tr, Mia 
40 (3) IBl©m 

(5) Mfa»^7K©'>&< iit 1 \y<Mz. tfe 

i/-F;&iiWfi:jiiin-rsxr«yy*^ty, Mta (i) 

( 6 ) Mia'>* < 1 o©ff/c*? y - FA'*'; 7;b • 

i^~r4^ • y-Ff-$s^ Mia (5) ia«©*)4<, 

(7) /■^'Jr-y F^^W^^ffi-efeoT. MIB^^-^r^ F 
{C^*LTlfTft'©^^'>-7 F^'ST'P-bX^MWtSXT 

•y^t. Mia^^J^(cfcv^Tiiffl?n5^i.gi5it^*>it#t 

5Xr7/t*^ty. m 
50 ( 8 ) Miaitf t5XT>y m MIB^I-gPlfffif^ J: \) . 
is. mm a) mm<Dm. 

(9) mmmmmm^^'ry Y<om7i<owi%mf; 
ts. Mfa (8) fa«©m 

(10) mmmmmm^^'r^yh<DmmwM^ 
tts. mm (8) t3«©m 

(11) ^Wa-txA^M^niB6*^W^n-t;^Tfe 
luia (7) laiom 

(12) tuia;i^^^^7 h*^3^i?#fL. M11fl8«:4 

figti.xr 7 /^#ty. tuia (1) laiKom lo 

(13) Miai^^^'ir-y ht^^tSX 

r7-/^#ity, bsib (1) las^m 

(14) Mfa/^^r.y Ym&mtmm<Df^ i ®?h:m 
l{iffj5XT<y:/^^ty> luta (1) lajgom 

(15) MfBlt©^ 1 (D^m\'\ 3- H • -b -y h «; 

llfftSXr^y^^iy. tfiia (1 4) IH^om 
(1 6) Miar-^' • J^'ry ^oM»*i*£tSXr7 

y*#tf. Mta ( 1) latc^^So 